DETAILED ACTION

1. Claims 1-23 have been examined.

Double Patenting 

2. Claims 1-8, 9-18, and 20-23 are provisionally rejected under the judicially created 
doctrine of obviousness-type double patenting as being unpatentable over claims 1-8, 
10-19, and 21-24 of copending Application No. 10/001,350. Although the conflicting 
claims are not identical, they are not patentably distinct from each other because the 
subject matter claimed in the instant application is fully disclosed in the referenced 
copending application. 

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

The subject matter claimed in the instant application is fully disclosed in the 
referenced copending application and would be covered by any patent granted on that 
copending application since the referenced copending application and the instant 
application are claiming common subject matter, as follows: the copending application 
discloses a method of displaying data, comprising: capturing and decoding data, 
correlating data components, retrieving a web-browser template, and graphically 
displaying the correlated decoded data; the instant application discloses a method of 
displaying data, comprising: capturing and decoding data, correlating data components, 
and graphically displaying the correlated decoded data. 

Claims 1-8, 9-18, and 20-23 of the instant application are envisioned by 
copending Application No. 10/001,350's claims 1-8, 10-19, and 21-24 in that claims 1-8,



Application/Control Number: 10/002,064 Page 3 

Art Unit: 2136 

10-19, and 21-24 of the copending application contain all the limitations of claims 1-8, 9- 
18, and 20-23 of the instant application. Claims 1-8, 9-18, and 20-23 of the instant 
application therefore are not patently distinct from the copending application claims and 
as such are unpatentable for obvious-type double patenting. 

Specification 

The disclosure is objected to because of the following informalities: pages 1-2 
recite docket numbers; please add serial application numbers; page 7 is missing the 
serial application numbers (lines 22 and 26). Appropriate correction is required. 

Drawings 

3. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4)
because reference character "18" has been used to designate both "storage device or
database" (Fig 1) and "HTML" (Fig 2). Corrected drawing sheets in compliance with 37
CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the
application. Any amended replacement drawing sheet should include all of the figures 
appearing on the immediate prior version of the sheet, even if only one figure is being 
amended. Each drawing sheet submitted after the filing date of an application must be 
labeled in the top margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 
CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be 
notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

4. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5)
because they include the following reference character(s) not mentioned in the
description: 124 (Fig. 5). Corrected drawing sheets in compliance with 37 CFR
1.121(d), or amendment to the specification to add the reference character(s) in the 
description in compliance with 37 CFR 1.121(b) are required in reply to the Office action 
to avoid abandonment of the application. Any amended replacement drawing sheet 
should include all of the figures appearing on the immediate prior version of the sheet, 
even if only one figure is being amended. Each drawing sheet submitted after the filing 
date of an application must be labeled in the top margin as either "Replacement Sheet" 
or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by the 
examiner, the applicant will be notified and informed of any required corrective action in 
the next Office action. The objection to the drawings will not be held in abeyance. 

Claim Rejections - 35 USC § 101

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, 
manufacture, or composition of matter, or any new and useful improvement 
thereof, may obtain a patent therefor, subject to the conditions and requirements 
of this title. 

6. Claims 1-23 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. Claims 1, 9, and 16 state "decipherable by 
humans", this is considered non-statutory subject matter. Dependent claims 2-8, 10-15, 
and 17-23 are rejected based on their dependency from claims 1, 9, and 16 
respectively. 

7. To expedite a complete examination of the application, the claims rejected under 
35 U.S.C. 101 (non-statutory) above are further rejected as set forth below in 
anticipation of applicant amending these claims to place them within the four statutory 
categories of invention. 

Claim Rejections - 35 USC § 103

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1, 5-9, 12-16, and 19-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Maloney et al. (US Patent Number: 6,269,447), and further in view of 
Cooper et al. (US Publication Number: 2004/0103315). 

Regarding claim 1, Maloney et al. teach a method of displaying data related to an
intrusion event on a computer system, comprising: capturing data related to the 
intrusion event (column 4, lines 34-37); decoding the captured data from a first 
predetermined format to a second predetermined format decipherable by humans, the 
decoded data comprising data components of intrusion signature, data summary, and 
detailed data (column 4, lines 34-40); correlating data components of the intrusion 
signature, data summary and detailed data to one another (column 4, lines 53-60). 
Maloney et al. do not expressly disclose retrieving an web browser-based template; and 
graphically displaying the correlated decoded data components using the web browser- 
based template. Maloney et al. teach graphically displaying the correlated data 
components (column 4, lines 47-53), but are not specific as to using a browser. 
However, Cooper et al. teach retrieving an web browser-based template (page 5, 
paragraphs 88-90); and graphically displaying the correlated decoded data components 
using the web browser-based template (page 5, paragraphs 88-90). Therefore, it would 
have been obvious to one having ordinary skill in the art at the time the invention was
made to use web browser-based templates to graphically display correlated data. One 
of ordinary skill in the art would have been motivated to do so to provide an end user a 
tool to review reports from the end user's host computer as disclosed by Cooper et al. 
(page 2, paragraph 38, page 5, paragraph 90). 

Regarding claim 5, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein capturing data comprises capturing network data packets of the intrusion event 
(column 4, lines 34-37, column 7, lines 23-27). 

Regarding claim 6, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data from a 
binary format to a human-readable text format (column 6, lines 8-20). 

Regarding claim 7, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
data having a data link layer protocol header, a network layer protocol header, a 
network layer protocol data summary, and packet data in hexadecimal format (column 
4, lines 24-33, column 7, lines 65-67, column 8, lines 1-12). 

Regarding claim 8, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
data having an Ethernet header, an IP header, an IP data summary, and packet data in
hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, column 8, lines 1- 
12). 

Regarding claim 9, Maloney et al. teach a method of displaying data of an 
intrusion detection system, comprising: capturing, from a network, data related to an 
intrusion event in response to detecting an intrusion signature in the network data 
(column 4, lines 34-37); decoding the captured data from a predetermined format to a 
human-readable format, the decoded data comprising data components of network 
header data, data summary, and detailed data (column 4, lines 34-40); determining a 
correlation relationship between the data components of the intrusion signature, 
network header data, data summary and detailed data to one another (column 4, lines 
53-60). Maloney et al. do not expressly disclose displaying the correlated decoded data 
components by using a web browser-based template. Maloney et al. teach graphically 
displaying the correlated data components (column 4, lines 47-53), but are not specific 
as to using a browser. However, Cooper et al. teach displaying the correlated decoded 
data components by using a web browser-based template (page 5, paragraphs 88-90). 
Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to use web browser-based templates to graphically display 
correlated data. One of ordinary skill in the art would have been motivated to do so to 
provide an end user a tool to review reports from the end user's host computer as 
disclosed by Cooper et al. (page 2, paragraph 38, page 5, paragraph 90). 

Regarding claim 12, the combination of Maloney et al. and Cooper et al. teaches
the limitations as set forth under claim 9 above. Furthermore, Maloney et al. teach 
wherein capturing data comprises capturing network data packets of the intrusion event 
in response to detecting the presence of a predetermined data pattern in the network 
data packet (column 4, lines 34-37, column 2, lines 23-33, column 12, lines 21-42). 

Regarding claim 13, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 9 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data from a 
binary format to a text format (column 6, lines 8-20). 

Regarding claim 14, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 9 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
data having a data link layer protocol header, a network layer protocol header, a 
network layer protocol data summary, and packet data in hexadecimal format (column 
4, lines 24-33, column 7, lines 65-67, column 8, lines 1-12). 

Regarding claim 15, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 9 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
data having an Ethernet header, an IP header, an IP data summary, and packet data in 
hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, column 8, lines 1- 
12). 

Regarding claim 16, Maloney et al. teach a system of presenting data of an
intrusion detection system, comprising: a network driver capturing data related to an 
intrusion event upon detecting a predetermined intrusion signature (column 7, lines 23- 
27, column 2, lines 23-33, column 12, lines 21-42); a decode engine decoding the 
captured data from a predetermined format to a predetermined format decipherable by 
humans, the decoded data comprising data components of intrusion event data, data 
summary, and detailed data (column 4, lines 34-40); and a user interface graphically 
correlating data components of the intrusion signature, intrusion event data, data 
summary and detailed data to one another (column 4, lines 53-60). Maloney et al. do 
not expressly disclose displaying the correlated decoded data components according to 
a web browser-based format. Maloney et al. teach graphically displaying the correlated 
data components (column 4, lines 47-53), but are not specific as to using a browser. 
However, Cooper et al. teach displaying the correlated decoded data components 
according to a web browser-based format (page 5, paragraphs 88-90). Therefore, it 
would have been obvious to one having ordinary skill in the art at the time the invention 
was made to use web browser-based templates to graphically display correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide an end 
user a tool to review reports from the end user's host computer as disclosed by Cooper 
et al. (page 2, paragraph 38, page 5, paragraph 90). 

Regarding claim 19, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 16 above. Furthermore, Cooper et al. teach the 
system, as set forth in claim 16, further comprising a web server operable to transmit a 
file in a web-browser displayable format having the correlated and decoded data
components (page 5, paragraph 90). 

Regarding claim 20, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 16 above. Furthermore, Maloney et al. teach the 
system, as set forth in claim 16, wherein the network driver captures network data 
packets of the intrusion event in response to the intrusion detection system detecting a 
predetermined data pattern corresponding to the predetermined intrusion signature 
(column 7, lines 23-27, column 2, lines 23-33, column 12, lines 21-42). 

Regarding claim 21, the combination of Maloney et al. and Cooper et al. teaches
the limitations as set forth under claim 16 above. Furthermore, Maloney et al. teach the 
system, as set forth in claim 16, wherein the decode engine decodes the captured data 
from a binary format to a human-readable text format (column 6, lines 8-20). 

Regarding claim 22, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 16 above. Furthermore, Maloney et al. teach the 
system, as set forth in claim 16, wherein the decode engine decodes the captured data 
to decoded data components having a data link layer protocol header, a network layer 
protocol header, a network layer protocol data summary, and packet data in 
hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, column 8, lines 1- 
12). 

Regarding claim 23, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 16 above. Furthermore, Maloney et al. teach the 
system, as set forth in claim 16, wherein the decode engine decodes the captured data 
to decoded data components having an Ethernet header, an IP header, an IP data
summary, and packet data in hexadecimal format (column 4, lines 24-33, column 7, 
lines 65-67, column 8, lines 1-12). 

10. Claims 2-4, 10-11, and 17-18 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Maloney et al. and Cooper et al. as applied to claims 1, 9
respectively above, and further in view of Slodowski et al. (US Patent Number: 
6,775,583). 

Regarding claim 2, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
disclose expressly graphically displaying the correlated decoded data components 
comprises graphically highlighting correlated data components of intrusion signature, 
data summary and detailed data. However, Slodowski et al. teach wherein graphically 
displaying the correlated decoded data components comprises graphically highlighting 
correlated data components of intrusion signature, data summary and detailed data 
(column 5, lines 13-43). Therefore, it would have been obvious to one having ordinary 
skill in the art at the time the invention was made to graphically display data, highlighting 
correlated data. One of ordinary skill in the art would have been motivated to do so to 
provide users with an easy to learn, easy to handle, and comfortable data arrangement 
(Slodowski et al., column 2, lines 54-67). 

Regarding claim 3, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein graphically displaying the correlated decoded data
components comprises: receiving a user input selecting a displayed data component; 
and graphically highlighting data components correlated to the selected data 
component. However, Slodowski et al. teach wherein graphically displaying the 
correlated decoded data components comprises: receiving a user input selecting a 
displayed data component; and graphically highlighting data components correlated to 
the selected data component using the web browser-based template (column 5, lines 
13-43). Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to graphically display data, highlighting correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide users with 
an easy to learn, easy to handle, and comfortable data arrangement (Slodowski et al., 
column 2, lines 54-67). 

Regarding claim 4, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein graphically displaying the correlated decoded data 
comprises: receiving a user input selecting a displayed data component; graphically 
highlighting the user selected data component using the web browser-based template; 
and graphically highlighting data components correlated to the selected data component 
using the web browser-based template. However, Slodowski et al. teach wherein 
graphically displaying the correlated decoded data comprises: receiving a user input 
selecting a displayed data component; graphically highlighting the user selected data 
component using the web browser-based template; and graphically highlighting data 
components correlated to the selected data component using the web browser-based
template (column 5, lines 13-43). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to graphically display data, 
highlighting correlated data. One of ordinary skill in the art would have been motivated 
to do so to provide users with an easy to learn, easy to handle, and comfortable data
arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 10, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 9 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein graphically displaying the correlated decoded data 
comprises: receiving a user input selecting a displayed data component; and graphically 
highlighting all data components correlated to the selected data component using an 
HTML template. However, Slodowski et al. teach wherein graphically displaying the 
correlated decoded data comprises: receiving a user input selecting a displayed data 
component; and graphically highlighting all data components correlated to the selected 
data component using an HTML template (column 5, lines 13-43). Therefore, it would 
have been obvious to one having ordinary skill in the art at the time the invention was 
made to graphically display data, highlighting correlated data. One of ordinary skill in the 
art would have been motivated to do so to provide users with an easy to learn, easy to 
handle, and comfortable data arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 11, the combination of Maloney et al. and Cooper et al. teaches
the limitations as set forth under claim 9 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein graphically displaying the correlated decoded data 
comprises: receiving a user input selecting a displayed data component; graphically
highlighting the user selected data component; and graphically highlighting data 
components correlated to the selected data component. However, Slodowski et al. 
teach wherein graphically displaying the correlated decoded data comprises: receiving a 
user input selecting a displayed data component; graphically highlighting the user 
selected data component; and graphically highlighting data components correlated to 
the selected data component (column 5, lines 13-43). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to 
graphically display data, highlighting correlated data. One of ordinary skill in the art 
would have been motivated to do so to provide users with an easy to learn, easy to 
handle, and comfortable data arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 17, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 16 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein the user interface graphically highlights correlated data 
components of intrusion event data, data summary and detailed data. However, 
Slodowski et al. teach wherein the user interface graphically highlights correlated data 
components of intrusion event data, data summary and detailed data (column 5, lines 
13-43). Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to graphically display data, highlighting correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide users with 
an easy to learn, easy to handle, and comfortable data arrangement (Slodowski et al.,
column 2, lines 54-67). 

Regarding claim 18, the combination of Maloney et al. and Cooper et al. teaches
the limitations as set forth under claim 16 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein the user interface is operable to receive a user input 
selecting a displayed data component, and graphically highlights all data components 
correlated to the selected data component using a web-based display template. 
However, Slodowski et al. teach wherein the user interface is operable to receive a user 
input selecting a displayed data component, and graphically highlights all data 
components correlated to the selected data component using a web-based display 
template (column 5, lines 13-43). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to graphically display data, 
highlighting correlated data. One of ordinary skill in the art would have been motivated 
to do so to provide users with an easy to learn, easy to handle, and comfortable data 
arrangement (Slodowski et al., column 2, lines 54-67). 

Conclusion

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David G. Cervetti whose telephone number is (571) 272- 
5861. The examiner can normally be reached on Monday-Friday 7:00 am - 5:00 pm, off 
on Wednesday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on (571) 272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 